I have a Ubuntu 10.04 proxy server exposed to the internet and I have SSH Server on it to manage it from internal LAN and from remote. It feels simply unsafe, even if I'm using strong passwords... I thought about disabling ssh on the internet side but then I'd lose functionality. Is there any workaround? I look for a very very short list of "must do" to improve security.
6 Answers
theres 2 further things you can do to enhance ssh security:
switch to public key only ssh logins as detailed here: How do you setup ssh to authenticate using keys instead of a username / password?
then you can restrict SSH logins to specific IP's as detailed here: how to restrict ssh login to a specific ip or host
if those methods are setup correctly then to get in, someone needs to connect from your IP address with your private key file
 
    
    - 3,983
- 2
- 20
- 24
I'd like to add only one thing to all those answers:
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Here is a (broken) rrd graph from the active bans on my server :

Graphed by munin with the fail2ban plugin.
 
    
    - 5,287
- 25
- 42
- 
                    That's simply wow – Pitto May 27 '11 at 12:09
- 
                    There is also denyhosts: http://denyhosts.sourceforge.net/ "DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks)." – HTTP500 Jun 13 '11 at 21:45
- 
                    How've you got RRDtool graphing it? I've had a google but I think my google-foo must be low at the moment as I couldn't find anything. – Phil Jun 13 '11 at 23:08
- 
                    this one was made using munin. http://exchange.munin-monitoring.org/plugins/fail2ban/details. – petrus Jun 14 '11 at 07:30
Enable key-based authentication, and turn off challenge-response / password authentication. This will make it as secure as it needs to be.
Additionally I'd ensure that your iptables rules only allow SSH access from your own IP address/range (if this is possible).
 
    
    - 1,001
- 6
- 5
Besides strong passwords, one additional thing you can do is restrict accounts that can log in.
in sshd_config:
AllowUsers myaccount
Also, set PermitRootLogin no.
 
    
    - 331
- 1
- 6
As addition to the answers above you can do the following to secure your ssh access even more:
Change the default SSH Port
Usually bots are trying to access the default port 22/tcp and try to login with different usernames (root, admin, etc). This attacks are usually no issue if you're using strong passwords, or better keys, and do not permit root logins.
The annoying this is that the unsuccessfull login attempts are spamming your security logs and if anything happens it will be hard to find the correct entry.
Enable Port knocking
Port Knocking is a nice idea. The default ssh port is closed until you knock on one or multiple ports in the correct order. The ssh port is then opened automatically and you can login.
As usuall someone already implemented it ;-) Here the documentation: https://help.ubuntu.com/community/PortKnocking
 
    
    - 13,019
- 4
- 35
- 45
 
    
    - 1,118
- 1
- 7
- 11
Would disabling password authentication and requiring public-key based be OK with you?
You could also disable ssh completely, if you have some remote HW management solution, like remote console (IBM RSA or HP ILO). If you have physically separate management and production LANs, then it wouldn't be possible to break into the server by logging into it.
 
    
    - 6,451
- 19
- 23
 
    